Meet The Virtual ATM Skimmers

Just when you thought that you and your ATM card data were safe from criminal eyes, Scientific American brings a different sort of threat. This time, the skimmers are inside the machine. Malware within the ATM itself harvests enough data to do some very bad things.

They’ve been spotted in the wild in Eastern Europe, and may soon arrive in the US. How do they work?

[The malware] allows a gang member to walk up to an ATM, insert a “trigger” card, and use the machine’s receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates – and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts. In some cases, the malicious software even allows the criminal to eject the machine’s banknote storage cassette into the street.

How does this malware work and remain undetected? It’s an innocent-looking Windows program.

…a 50-kilobyte piece of malware disguised as a legitimate Windows program called lsass.exe. In a PC, this helps the Microsoft operating system cache session data – so users don’t have to re-enter their passwords every time they get a new email, for example.

This is a clever choice of camouflage, says SpiderLabs’ forensics manager Stephen Venter: to an IT staffer, lsass.exe doesn’t look out of place in a Windows system, so routine checks wouldn’t necessarily pick it up. Yet it has no useful function in an ATM.

Once installed, the malware implements a “card data harvesting” routine, SpiderLabs said in an alert to banks issued at the end of May. When a customer inserts their card, the malware records to hard disc its account number, start date, expiry date and three-digit security code, as well as the PIN entered.

So, a secret invisible program that harvests customer data and controls the ATM. I can’t wait!